Skip to content
Microsoft just released its biggest Patch Tuesday ever, with a mammoth 622 fixes including three dangerous zero-days
TechRadar
TechnologyTechRadar··2 min read

Microsoft just released its biggest Patch Tuesday ever, with a mammoth 622 fixes including three dangerous zero-days

Microsoft’s July 2026 Patch Tuesday fixed a record 622 vulnerabilities, including 58 critical, two exploited in the wild, and one publicly disclosed, plus 428 Chromium bugs

Actively abused flaws include CVE‑2026‑56155 (AD FS privilege escalation) and CVE‑2026‑56164 (SharePoint privilege escalation), alongside notable issues in BitLocker and Copilot

Surge in fixes is linked to Microsoft’s use of Anthropic’s Mythos AI, with patch volumes rising sharply since its adoption

Microsoft has released its July 2026 Patch Tuesday download, marking another record-breaking update, addressing hundreds of flaws across the ecosystem.

The release, which is currently rolling out to Microsoft users, fixes a staggering 622 vulnerabilities, including 58 critical-severity ones, two that were observed as being abused in the wild, and one which has already been publicly disclosed.

On top of that, Microsoft shipped fixes for another 428 Chromium bugs, as well.

A jump in numbers

There are simply too many vulnerabilities to mention all of them, however two that are being exploited in the wild are CVE-2026-56155 and CVE-2026-56164. The former is described as an “Insufficient granularity of access control in Active Directory Federation Services (AD FS)” bug, which allows an authorized attacker to elevate privileges locally. It carries a severity score of 7.8/10 (high).

The latter is a “Missing authentication for critical function in Microsoft Office SharePoint” bug that allows an unauthorized attacker to elevate privileges over a network. Microsoft assigned it a medium severity score (5.3/10), but the National Vulnerability Database gave it a 9.8/10 (critical).

Other notable mentions include CVE-2026-50661, a protection mechanism failure in Windows BitLocker that allows unauthorized attackers to bypass a security feature with a physical attack, and CVE-2026-48561, an improper neutralization of special elements used in a command in Microsoft Copilot, that allows an unauthorized attacker to execute code over a network.

If you think fixing 622 vulnerabilities in a month is a lot, you’re absolutely right. It’s well above what Microsoft is used to do, and this is most likely due to the company now using the fabled Mythos - Anthropic’s cybersecurity-oriented AI.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In June 2026, roughly a month and a half after the release of Mythos, Microsoft fixed 206 flaws, which raised eyebrows because it was significantly above the company’s usual amount of bugs fixed.

In May it fixed 120 flaws, in April 167, and in March - 79.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

View original source — TechRadar